DKIM headers in Exim
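acl_check_dkim:
  # DKIM ACL. Each statement below tests $dkim_cur_signer / dkim_status for
  # the signer currently being evaluated, tags the message with X-DKIM and
  # Authentication-Results headers, and rejects only a "fail" result for a
  # domain listed in KNOWN_DKIM_SIGNERS.
  #
  # NOTE(review): KNOWN_DKIM_SIGNERS is not defined in this snippet; it is
  # presumably a macro or domain list set elsewhere in the configuration.
  # NOTE(review): the "dkim_status = none" statements can only match if this
  # ACL is invoked for a domain that did not sign the message. That depends
  # on the main-section dkim_verify_signers option (not shown here); confirm
  # it lists the sender domain in addition to $dkim_signers.
  # NOTE(review): nothing in this ACL removes X-DKIM or Authentication-Results
  # headers that arrived with the message. Downstream filters should trust
  # only headers naming $primary_hostname, and only if sender-supplied copies
  # are stripped or ignored elsewhere.

  # Skip this whole ACL when the current signer contains an "@" sign, i.e. it
  # is an identity (the header.i form, usually an email address) rather than a
  # bare domain. Only the domain form is evaluated by the statements below.
  accept condition = ${if match{$dkim_cur_signer}{\N@\N}}

  # Required signer, but no signature: the envelope sender domain is in
  # KNOWN_DKIM_SIGNERS and equals the signer being checked. The message is
  # still accepted; it is only logged and tagged.
  accept dkim_status = none
         sender_domains = KNOWN_DKIM_SIGNERS
         dkim_signers = KNOWN_DKIM_SIGNERS
         condition = ${if eqi{$sender_address_domain}{$dkim_cur_signer} {yes}{no}}
         # logwrite instead of log_message: log_message is only used when an
         # ACL denies or a warn statement matches, so on this accept the
         # warning was never written. logwrite is written as soon as it is
         # reached, which is only after the conditions above have matched.
         logwrite = Possible DKIM Forgery: Unsigned message from $sender_address_domain
         add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname (no dkim signature for required domain: $dkim_cur_signer)

  # No signature, and neither the sender domain nor the signer is in
  # KNOWN_DKIM_SIGNERS: accept, tag, and remember that X-DKIM was added.
  accept dkim_status = none
         !sender_domains = KNOWN_DKIM_SIGNERS
         !dkim_signers = KNOWN_DKIM_SIGNERS
         set acl_m_dkim_hdr = 1
         add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname (no dkim signature for $dkim_cur_signer)

  # Add the plain X-DKIM banner unless acl_m_dkim_hdr is already 1.
  warn condition = ${if eq {$acl_m_dkim_hdr}{1} {no}{yes}}
       set acl_m_dkim_hdr = 1
       add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname

  # Verified signature: record the result and accept.
  # header.i and header.s are taken from the signature itself, so they are
  # sender-chosen values that happened to verify, not locally asserted facts.
  accept dkim_status = pass
         add_header = :at_start:Authentication-Results: $primary_hostname; dkim=$dkim_verify_status header.d=$dkim_cur_signer header.i=$dkim_identity header.s=$dkim_selector

  # Unverifiable or failed signature: record the result and the reason.
  # warn never ends the ACL, so processing continues with the deny below.
  warn dkim_status = invalid : fail
       add_header = :at_start:Authentication-Results: $primary_hostname; dkim=$dkim_verify_status header.d=$dkim_cur_signer header.i=$dkim_identity header.s=$dkim_selector reason="$dkim_verify_reason"

  # Reject only a "fail" result, only for KNOWN_DKIM_SIGNERS, and only when
  # $dkim_key_testing is not 1 (the signer's key is not flagged as testing).
  # "invalid" results are never rejected here.
  deny dkim_status = fail
       sender_domains = KNOWN_DKIM_SIGNERS
       dkim_signers = KNOWN_DKIM_SIGNERS
       condition = ${if eq {$dkim_key_testing}{1} {no}{yes}}
       message = Rejected: $dkim_verify_reason

  # Everything not denied above is accepted, including "invalid" signatures
  # and "fail" results from domains outside KNOWN_DKIM_SIGNERS.
  accept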